13 May 2018

Australian Data Breach Regime and Equifax

The incisive 'The introduction of data breach notification legislation in Australia: A comparative view' by Angela Daly in (2018) 34(3) Computer Law and Security Review states
This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australian legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.
A perspective is provided in Breach of Trust: CFPB’s Complaint Database Shows Consumers Need Help After Equifax Breach from US Senators Elizabeth Warren, Brian Schatz and Robert Menendez regarding the September 2017 data breach at the global giant whose Australian arm absorbed the controversial Veda credit referencing business.

The report states
On September 7th, 2017, Equifax announced that it had allowed hackers to access the sensitive information of more than 143 million Americans in one of the largest security breaches of consumer data in history. In the wake of that breach, Equifax promised to make things right. Almost immediately, consumers used the Consumer Financial Protection Bureau’s (CFPB) consumer complaint hotline to register problems and concerns with the breach and Equifax’s response to it. This analysis contains the first comprehensive review of consumer complaints in the wake of the Equifax breach. It finds that, in the six months following the breach’s announcement, the CFPB received more than 20,000 complaints from consumers about the impact of the breach, problems with the Equifax response, or other issues with the company – nearly double the amount of complaints received regarding Equifax in the six months prior to the announcement. 
The number and nature of these complaints is particularly important because of public reports that cast doubt upon the CFPB’s investigation of Equifax and the agency’s commitment to assist consumers and address the fallout of the breach. In early February, reports indicated that the CFPB, under the new leadership of Office of Management and Budget (OMB) Director Mick Mulvaney, had declined to collaborate with other regulators in investigating Equifax and may have abandoned its own investigation. While the CFPB has confirmed that an inquiry is still open, reports suggest that the agency has slowed down or stalled the investigation into the Equifax breach and its impact on consumers. 
This report concludes that, based on the thousands of complaints received by the agency, the CFPB should act quickly and aggressively to hold Equifax accountable. Specific findings include:
• In six months between September 7, 2017, when Equifax announced the breach of sensitive consumer information, and March 7, 2018, consumers have filed more than 20,000 complaints regarding Equifax 
• The CFPB received more than 7,000 complaints of improper use of a credit report after the breach, the risks of which jumped after Equifax exposed credit card numbers, birth dates, social security numbers, and other personal information belonging to millions of Americans 
• The CFPB received more than 7,000 complaints of incorrect information on a credit report, a problem made significantly more prevalent by the increased risk of identity theft in the aftermath of the Equifax breach 
• The CFPB received more than 3,000 complaints about Equifax’s inadequate assistance in resolving problems after the breach, highlighting Equifax’s inability or unwillingness to assist consumers with their concerns 
• The CFPB received more than 1,500 complaints regarding Equifax’s credit monitoring services, fraud alerts, security freezes, and other identity theft protection products, demonstrating the company’s inadequate consumer support services in the wake of the breach
Consumers are facing myriad problems even six months after the breach, and continue to seek assistance from the CFPB. Specific complaints reported by consumers included:
• A consumer who had their “opportunity for employment...denied because of [their] Equifax credit report,” and despite apparently proving that fraud had led to the false accounts being placed on their file, was unable to get help after Equifax “re inserted” both accounts onto their report. 
• A consumer who, in the wake of the breach “was redirected to call 6 different phone numbers,” and when they were unable to get additional assistance from Equifax, their finances were “frozen for over a month,” causing them “extreme hardship.” 
• Consumers who were materially injured by Equifax’s negligent cybersecurity and reckless response to the breach. One consumer faced problems with their Equifax credit report that were “damaging [their] credit rating” when they were “in the process of buying a house.” 
• Another consumer who, after learning that their “information was part of the Equifax breach,” was unable to get Equifax to remove fraudulent accounts and inquiries from their report despite trying “multiple times,” even filing a police report over the false accounts listed on their report. 
• Another consumer who complained that Equifax had not contacted them to provide assistance with similar problems, specifically adding that “I have been a victim of identity theft and I have suffered from the credit breach.” 
Equifax continued to keep important information from the public, leaving consumers to fend for themselves. This report provides strong evidence that the CFPB must hold the company accountable and act decisively to protect the millions of consumers harmed by this breach. 
On September 7, 2017, Equifax announced that it had allowed hackers to access the sensitive information of more than 143 million Americans in one of the largest security breaches of consumer data in history. After failing to adopt strict cybersecurity measures to protect valuable consumer data, Equifax then mishandled the aftermath of the breach, failing to properly assist consumers, and in some cases, making the situation even worse. The company waited 40 days to alert consumers and regulators; initially asked that consumers waive their rights to file lawsuits just to receive free credit monitoring services; increased their profits through their partnership with LifeLock because of the ensuing rush for credit protection; and set up frustrating and ineffective call centers and other consumer support measures. 
Five months after the breach, reports indicated that Equifax was continuing to withhold information from the public about the extent of the breach. We still do not fully understand the scope of the harm to consumers or what measures Equifax is taking to avoid such catastrophic failures of cybersecurity and consumer support in the future. 
The Consumer Financial Protection Bureau was established by the Dodd-Frank Wall Street Reform and Consumer Protection Act in order to enforce federal consumer protection laws. The CFPB is responsible for protecting consumers from “unfair, deceptive, or abusive acts and practices.” The CFPB also has clear supervisory authority over large consumer reporting agencies, including Equifax.
In his response to Senator Warren’s September 2017 letter to the CFPB, former Director Richard Cordray outlined the bureau’s authority over Equifax and efforts to investigate the breach and assist consumers. He described the CFPB’s “authority...to review the data security practices of financial institutions... to determine whether such practices violate Federal consumer financial laws...which include prohibitions on unfair, deceptive, or abusive acts and practices.” He added that the CFPB “is the only Federal agency that has any supervisory authority over the larger consumer reporting companies.”
Director Cordray also noted that the “recent breach at Equifax poses an enormous threat to consumers,” and given that risk, informed Senator Warren that the bureau was “currently looking into the data breach and Equifax’s response.” More specifically, he claimed that the bureau was “working with our Federal and state partners to respond to the problems at Equifax,” including through efforts with other banking regulatory agencies. Director Cordray committed that the CFPB would “continue to examine and investigate consumer reporting companies,” adding that “a breach of this magnitude calls for a coordinated response.” 
Despite the severe threat to consumers and the authority and responsibility of the CFPB to investigate and respond to such threats, recent reports indicate that under the control of Office of Management and Budget Director Mick Mulvaney, the agency may have slowed down or stalled its investigation into the Equifax breach. The investigation has reportedly “sputtered since” Mr. Mulvaney took over at the CFPB, because he has “not ordered subpoenas against Equifax or sought sworn testimony from executives,” both of which are “routine steps when launching a full-scale probe.”  Furthermore, reports suggest that the CFPB “rebuffed bank regulators...when they offered to help with on-site exams of credit bureaus,” despite former Director Cordray making it clear that this cooperation was both necessary and welcome. 
In response to our inquiry, Mr. Mulvaney stated that “it is a matter of public record that the Bureau is looking into Equifax’s data breach and response,” and that any claims that there is no such investigation “are incorrect.” But Mr. Mulvaney did not specify whether the reporting about the sluggishness of his investigation is correct. Mr. Mulvaney also did not comment on whether the CFPB had stopped examining credit bureaus, or whether it had rejected offers of assistance from other bank regulators. 
Mr. Mulvaney has stated that the bureau “will be focusing on quantifiable and unavoidable harm to the consumer,” and that “quantitative analysis” would drive the work, stating, “there’s a lot more math in our future.”  Mr. Mulvaney also told his employees that “we will be prioritizing[,]” – and specifically cited – the number of complaints received on certain issues as a factor that would determine investigative priorities.  The CFPB’s consumer complaint database collects complaints from consumers around the country on a variety of issues, offering a quantitative look at the problems plaguing consumers. As Mr. Mulvaney noted, the database should serve as a guide for the bureau. 
This report does the math. It analyzes data and individual complaints from the CFPB’s consumer complaint database in order to determine the extent of the impact of the Equifax breach on consumers, the effectiveness of the CFPB response, and whether this data justified a CFPB investigation. Staff reviewed complaints that mention “Equifax” between September 7, 2017, the day the breach was announced, and March 7, 2018. Staff also read through individual complaints to understand the issues facing consumers. 
The results of this staff review of CFPB complaints about Equifax reveal that consumers filed 21,921 complaints in the six months after Equifax announced the massive breach of consumer data – nearly double the amount of complaints related to Equifax in the six months preceding the announcement – and more complaints arrive every day. And while complaints regarding Equifax nearly doubled, consumer complaints filed regarding the company’s competitors, TransUnion and Experian, remained roughly the same or increased only slightly during the same period. 
From September 7, 2017 through March 7, 2018 – the six months after Equifax announced the breach – consumers filed 21,921 complaints regarding Equifax. In the six months prior to the announcement, consumers filed only 11,973 complaints.